C. SUMMARY:



On January 7, 2013, about 1021 Eastern Standard Time, smoke was discovered by cleaning 
personnel in the aft cabin of a Japan Airlines (JAL) Boeing 787-8, JA829J that was parked at a 
gate at Logan International Airport, Boston, Massachusetts. About the same time, a maintenance 
manager in the cockpit observed that the auxiliary power unit (APU) had automatically shut 
down. Shortly afterward, a mechanic opened the aft electronic equipment bay and found smoke 
and flames coming from the APU battery. No passengers or crewmembers were aboard the 
airplane at the time, and none of the maintenance or cleaning personnel aboard the airplane was 
injured. Aircraft rescue and firefighting responded to the battery fire, and one firefighter received 
minor injuries. The airplane had arrived from Narita International Airport, Narita, Japan, as a 
regularly scheduled passenger flight operated as JAL flight 008 and conducted under the 
provisions of 14 Code of Federal Regulations Part 129. 

D. DETAILS OF THE INVESTIGATION:

As part of the NTSB investigation, a review was conducted of the Federal Aviation Regulations 
(FARs) and special conditions (requirements) applicable to the 787-8 Main and Auxiliary Power 
Unit (APU) Lithium-Ion Battery and Battery Charger system as well as the corresponding 
certification plan developed by Boeing and approved by the Federal Aviation Administration 
(FAA) that defined the agreed upon methods to be used to demonstrate that the battery and 
battery charger system met applicable FAA and European Aviation Safety Agency (EASA) 
requirements. This factual report documents the relevant FARs, special conditions, and portions 
of the certification plan that pertain to the APU and Main battery and battery charger system, 
specifically identifying those analyses, tests, and inspections that were required to demonstrate 
compliance. 

In addition to documentation of the regulatory requirements and the certification plan, this report 
also documents pertinent sections of the 787-8 Electrical Power System (EPS) safety assessment 
that pertain to the 787-8 Main and APU battery systems, which was developed by Boeing to 
evaluate the design of the EPS for compliance with safety requirements defined by the FAA and 
EASA. 

This System Safety and Certification Group Chairman factual report is intended to supplement 
the NTSB Battery and Airworthiness Group Chairman factual reports. 

D.1 Systems Descriptions:

D.1.1 Airplane and Power Conversion System (PCS):

The Boeing 787-8 is a twin-engine, wide body, commercial airplane. The Main Battery/Battery
Charger located in the forward Electronic Equipment (E/E) Bay and the APU Battery/Battery
Charger located in the Aft E/E Bay are part of the Power Conversion System (PCS), which is an
element of the 787-8 Electrical Power System.

The Main Battery provides power to selected electrical/electronic equipment for both normal and
non-normal conditions. Conditions include but are not limited to normal power-up and
power-down of the airplane, backup power to critical loads, full support of critical 28V loads
when all active power is lost, and support of battery only braking conditions for normal towing
and parking as well as emergency operation.

The APU Battery system provides power to start the APU during both ground and flight 
operations. In addition, the APU provides momentary 28 V hold-up to some essential equipment 
and power to open the APU Door and the APU controller. 

The battery design and part number are identical for both the main and APU positions, and these
units are interchangeable.

D.1.2 Lithium Ion Battery and Battery Charger (Main and APU) Description:

The Li-ion battery that is used for the Main and the APU battery contains 8 sealed lithium ion
cells that are connected together in series with thermal conductive plates and packaged within an
aluminum battery box. The battery also includes the battery monitoring unit (BMU), Hall Effect
current sensor (HECS), temperature sensors, internal non-latching contactor, battery failure
detection and diode module failure detection (detection of high rate charge current). The BMU,
which is installed within the battery, incorporates redundant circuits that generate battery status,
balance cell voltages, and make battery Built In Test Equipment (BITE) and failure
annunciations to the battery charger. These protection circuits are designed to protect against
overcharge, over-discharge, and overheating, and to ensure proper cell balancing.

Each battery is charged by a dedicated Battery Charger Unit (BCU). All battery signal and
failure information is provided to the aircraft system through the BCU. If an internal battery
failure is detected by the BMU, an inhibition signal is relayed to the BCU and it will stop all
charging of the battery and shall annunciate the battery failure at the aircraft level.

1. The main battery system also includes a Battery, BCU, and Battery Diode Module (BDM).
The Bus Power Control Unit (BPCU) monitors for failure indications from the Main
Battery/Battery Charger and reports any failures. The BDM includes a large power diode
and a battery side interface for the battery charger. The BDM protects the battery against
high charge current when the Hot Battery Bus is paralleled with another 28 VDC source via
the Main Battery Relay (MBR), Electric Brake Power Supply Unit (EBPSU) contactors, or
other equipment isolation failure.

2. The APU battery system also includes a Battery, BCU, and a Starter Power Unit (SPU) [1]; a
BDM is not included or necessary for the APU Battery System. The Remote Data
Concentrator (RDC) monitors for failure indication from the APU Battery/Battery Charger
and reports any failures to the BPCU.

The baseline Li-ion battery is a 50 ampere-hour (end-of-life) lithium-ion (Li-ion) chemistry 
battery. The main and APU batteries are identical, but provide electrical power sources to two 
distinct functional areas. The nominal voltage of the battery is about 29.6 volts and when it is 
fully charged, the voltage is 32.2 volts. 

According to Boeing's System Safety Assessment document for the 787-8 Electrical Power
System, Li-ion batteries are primarily made up of non-flammable components; however, the
electrolyte and active material coatings on the negative and positive electrodes contain
flammable components.



[1] The starter power unit is used during APU starts only.

Over-charge of a Li-ion cell can result in the cell entering thermal runaway, which could result
in the battery cell venting and the generation of smoke and fire. Cell venting with a fire is
distinct from venting with smoke only; outside of an additional ignition source, over-charge is
the only known failure condition that can result in venting with fire according to Boeing's
System Safety Assessment. Cell venting with smoke, however, can be initiated by several failure
modes, including external overheat, external short circuit of appropriate impedance, internal
short circuit, recharging a battery that has been discharged to a state-of-charge that is too low,
high rate charging at greater than 1C (one times the capacity Amp hour rating of the cell), or
charging at cold temperatures. Each cell has a safety vent [4] that opens when the cell's internal
pressure reaches unsafe levels to eliminate unsafe conditions.

Each battery charger takes unregulated 28 VDC power on its input and converts it to regulated
DC power output. The output voltage level varies with battery state of charge (SOC), from
22 VDC at 0% SOC to 32.2 V when fully charged. For all voltages, the charger current
is limited to a maximum output current of 46 A.

The battery charger receives inputs from the BMU, such as temperature, cell balance, inhibition
of discharge, and inhibition of charge, and regulates charging accordingly. The battery
charger, via the Bus Power Control Unit (BPCU) for the main battery and a Remote Data
Concentrator (RDC) for the APU battery, provides the battery parameters (such as battery current
and battery voltage) to support the Electrical Flight Synoptic Page and the battery-charger failure
indications (such as battery state of charge indication for dispatch) to the Engine Indication Crew
Alerting System (EICAS).

D.2 Certification Aspects of the Investigation: 

D.2.1 787-8 Type Certification Process and Overview: 

The FAA is responsible for prescribing minimum standards required in the interest of safety for 
the design, material, construction, quality of work, and performance of aircraft, aircraft engines, 
and propellers (Ref. 49 USC 44701). Product certification is a regulatory process administered by
the FAA to ensure that an aircraft manufacturer's products comply with Federal Airworthiness
Regulations. Successful completion of the certification process enables the FAA to issue a type 
certificate (TC). To obtain a TC, the manufacturer must demonstrate to the FAA that the aircraft 
or product being submitted for approval complies with all applicable FARs. The FAA 
determines whether or not the applicant has met its responsibility to show compliance to the 
applicable FARs. According to 14 CFR 21.21, an applicant is entitled to a type certificate for an
aircraft, if:

(a) The product qualifies under Sec. 21.27; or

(b) The applicant submits the type design, test reports, and computations necessary to show that
the product to be certificated meets the applicable airworthiness requirements of the Federal
Aviation Regulations and any special conditions prescribed by the Administrator, and the
Administrator finds that upon examination of the type design, and after completing all tests
and inspections, that the type design and the product meet the applicable requirements of the
Federal Aviation Regulations, and further finds that they meet the applicable airworthiness
requirements of the Federal Aviation Regulations.

[2] Charging above the manufacturer's high voltage specification is referred to as overcharge.
(Reference Lithium-Ion Batteries Hazard and Use Assessment Final Report prepared by Exponent
Failure Analysis Associates, Inc., dated July 2011.)

[3] Vents are usually formed by including a burst disk in the cell design, by including a score
mark on the cell (typical in prismatic designs), or by adjusting weld strength to allow failure of
weld closures at safe venting pressures. (Reference Lithium-Ion Batteries Hazard and Use
Assessment Final Report prepared by Exponent Failure Analysis Associates, Inc., dated July 2011.)

[4] According to Boeing's System Safety Assessment document

The Federal regulations that apply to type certification of transport-category airplanes are 14
CFR Part 21, 25, 26, 33, 34, and 36. The Part 25 regulations are those concerned with the
airworthiness standards for transport-category airplanes and are organized into subparts A
through G. According to 14 CFR 21.21 and FAA Order 8110.4C [5], the Federal regulations that
apply to a specific transport-category airplane are contained in the type certification basis that is
established by the FAA effective on the date of application per 14 CFR 21.17(a)(1). These
regulations represent the minimum standards for airworthiness; an applicant's design may
exceed these standards and the applicant's tests and analyses may be more extensive than
required by regulation. The specific applicable regulatory requirements and how compliance
will be demonstrated are documented in an FAA approved certification plan.

The FAA has 10 Aircraft Certification Offices (ACOs) which are responsible for approving the 
design certification of aircraft, aircraft engines, propellers, and replacement parts for those 
products. The certification oversight and approval for the 787-8 was conducted by the Seattle 
ACO. 

D.2.2 Certification History and Basis for the 787-8 Airplane: 

On March 28, 2003, Boeing applied for an FAA type certificate for its new Boeing Model 787-8 
passenger airplane. 

According to the Boeing Model 787-8 Type Certificate Data Sheet [6] (TCDS), the 787-8 airplane
was granted transport category approval on August 26, 2011. The applicable certification basis
was the 14 Code of Federal Regulations (CFR) Part 25 Airworthiness Standards, through
Amendment 25-119 and amendments 25-120, 25-124, 25-125 and 25-128 with some exceptions
and special conditions (SC) as noted in the 787-8 TCDS [7], including 25-359-SC for the Lithium
Ion battery installation.

The 787-8 FAA certification was also validated by the European Aviation Safety Agency
(EASA) with the approval granted on August 26, 2011. Their applicable certification basis was
Certification Specification (CS) 25, Amendment 1, effective as of December 12, 2005 with
some Certification Review Items [9] (CRIs) including F-24 for Lithium Ion batteries.

[5] In June of 2010, this guidance was moved to Order 8110.112.

[6] The Type Certificate Data Sheet (TCDS) is a formal description of the aircraft, engine or
propeller. It lists limitations and information required for type certification including airspeed
limits, weight limits, thrust limitations, etc.

[7] Reference Federal Aviation Administration Type Certificate Data Sheet T00021SE, Revision 5,
dated January 2, 2013.

D.2.3 Roles and Responsibilities in Li-ion Battery Certification: 

Historically, the FAA has relied on a variety of organizational or individual designee programs 
to meet its responsibility to hold the aviation industry accountable to its safety standards. The 
FAA utilizes designees across its scope of responsibilities, such as pilot licensing, mechanic 
certification, pilot medical examinations and aircraft design certification. 

When Congress created the FAA in 1958 to promote the safety of civil aviation, it recognized the 
practical necessity of FAA utilizing private sector expertise to keep pace with the growing 
aviation industry and explicitly gave the agency the authority to delegate certain certification 
activities, as the agency deems necessary, to qualified persons. The designee program itself has 
roots as far back as 1927, and the Federal Aviation Act continued and allowed for the expansion 
of delegations of authority. 

Typical individual designees involved in aircraft design, certification and manufacturing include
Designated Engineering Representatives (DERs), Designated Manufacturing Inspection
Representatives (DMIRs), and Designated Airworthiness Representatives (DARs). Delegation
Option Authorization (DOA), Organizational Designated Airworthiness Representative (ODAR)
and Designated Alteration Stations (DAS) are examples of organizational delegation programs
that have been utilized for many years or, in the case of DOA, for several decades. Recognizing
the need to expand the scope of approved tasks available to organizational designees and to
establish a more comprehensive, systems-based approach to managing designated organizations,
the FAA issued a final rule (70 Federal Register 59932) that established the Organization
Designation Authorization (ODA) program in October 2005. The FAA oversees designee
activities, and any authorized compliance finding made by a designee or delegated organization
is, in effect, an FAA finding. By November 2009, all companies that had applied for ODA had
completed the transition as required by the FAA.

On August 18, 2009, Boeing received ODA approval from the FAA. Boeing transitioned from 
the previous delegated authorizations, Design Organization Approval (DOA) and Organizational 
Delegated Airworthiness Representative (ODAR), during the following weeks. The ODA 
approval included Production Certificate (PC), Type Certificate (TC), and Major Repair, Alteration, 
and Airworthiness (MRA) for current production models and development programs. As defined 
by regulation and FAA procedures, Boeing as the ODA Holder is responsible for showing 
compliance to the regulations. Within Boeing, a team of appointed individuals known as the 
ODA Unit performs limited duties on behalf of the FAA. The processes and authority for the 
ODA Unit are approved by the FAA. A TC ODA unit may make discrete findings as authorized
by FAA for certain reports or tests in support of type certification programs. However, issuance 
of a type certificate cannot be delegated and is only done by the FAA. 



[8] Reference EASA Type Certificate Data Sheet Number EASA.IMA.115 for the Boeing 787-8,
Issue 3, dated May 10, 2012.

[9] Certification Review Items issued by EASA may include requirements similar to FAA Special Conditions.

Figures 1 and 2 below provide a high level illustration of the 787-8 Main and APU battery
certification process including reference to the process steps and certification tasks for which
approval was retained by the FAA and those that were delegated to the Boeing ODA (approvals
and findings of compliance determined by Boeing's ODA Unit).

Figure 1 Timeline of the 787-8 Certification Process

Figure 2 Certification Tasks and Delegations for the Certification of the 787-8

D.2.4 Special Conditions for Lithium Ion Battery and Battery Charger:

If, during the conceptual design phase, the FAA determines that existing regulations or 
safety standards applicable to the design feature being certified are inadequate or 
inappropriate, it can determine that special conditions are necessary. Title 14 CFR 21.16 
states that if "the airworthiness regulations of this subchapter do not contain adequate or 
appropriate safety standards for an aircraft, aircraft engine, or propeller because of a novel 
or unusual design feature of the aircraft, aircraft engine or propeller," the FAA can initiate 
rulemaking to produce standards that establish a level of safety equivalent to existing 
regulations. Novel or unusual features are unique to a specific certification project, are
judged relative to the existing standards, and are treated on a case-by-case basis. Special 
conditions begin with an issue paper and are developed by the ACO, with full participation 
by the applicant and other relevant participants. Once developed, the proposed special 
condition is forwarded to the appropriate directorate, which reviews it and coordinates 
review, approval, and publication of the rule change in the Federal Register. The Boeing 
Model 787-8 airplane would be the first large transport category airplane to utilize Li-ion
main and auxiliary power unit (APU) start batteries [10]. Because rechargeable lithium ion
batteries were considered a novel and unusual design feature in transport category 
airplanes, this proposed use of Li-ion batteries on the Model 787-8 airplane prompted the 
FAA to review the adequacy of the existing battery regulations. To facilitate this review 
and corresponding special conditions that would likely be required to address inadequacies 
in the current battery regulations, the FAA developed an Issue Paper, SE-9, "Special 
Condition: Lithium-Ion Battery Installations," to provide a structured means to track the 
resolution of the relevant technical, regulatory, and administrative issues that would arise 
in working with Boeing to certify the Main and APU Li-ion battery installations. 

The Issue Paper noted that increased use of nickel-cadmium batteries in small airplanes had 
resulted in increased incidents of battery fires and failures, which led to additional 
rulemaking affecting large transport category airplanes as well as small airplanes [11]. At the
time of the FAA's review of the proposed 787-8 design, there was limited experience with 
the use of rechargeable lithium ion batteries in applications involving commercial aviation. 
However, the FAA noted that other users of this technology, ranging from wireless telephone 
manufacturing to the electric vehicle industry, have noted safety problems with lithium ion 
batteries, which included overcharging, over-discharging, and flammability of cell 
components. The FAA cited the following issues in its Issue Paper: 

(1) Overcharging 

In general, lithium ion batteries are significantly more susceptible to internal failures
that can result in self-sustaining increases in temperature and pressure than their
nickel-cadmium or lead-acid counterparts. This is especially true for overcharging,
which causes heating and destabilization of the components of the cell, leading to
formation (by plating) of highly unstable metallic lithium. The metallic lithium can
ignite, resulting in a self-sustaining fire or explosion. Finally, the severity of thermal
runaway from overcharging increases with increasing battery capacity, in part because
of the greater quantity of electrolytes in large batteries and partly as a result of the
greater energy storage capacity of the larger batteries.

(2) Over-discharging

Discharge of some types of lithium ion batteries beyond a certain voltage (which is
determined by many technical factors including cell electrolyte chemistry, discharge
rate, time spent below that voltage, temperature) can cause corrosion of the electrodes
of the cell, resulting in loss of battery capacity that cannot be reversed by recharging.
This loss of capacity may not be detected by the simple voltage measurements
commonly available to flight crews as a means of checking battery status. This is a
problem shared with nickel-cadmium batteries.

(3) Flammability of Cell Components

Unlike nickel-cadmium and lead-acid batteries, some types of lithium ion batteries use
liquid electrolytes that are flammable. The electrolytes can serve as a source of fuel
for an external fire, if there is a breach of the battery container.

[10] According to the FAA's notice of final Special Conditions, the 787-8 design included planned
use of lithium ion batteries for the following applications: Main and Auxiliary Power Unit (APU)
Battery/Battery Charger System, Flight Control Electronics, Emergency Lighting System, and
Recorder Independent Power Supply.

[11] On September 1, 1977, and March 1, 1978, respectively, the FAA issued 14 CFR 25.1353(c)(5)
and (c)(6), governing nickel-cadmium battery installations on large transport category airplanes.

The FAA's review found that the existing airworthiness regulations did not contain 
adequate or appropriate safety standards for lithium-ion batteries. In particular, the FAA 
noted that, in general, lithium ion batteries are "significantly more susceptible to internal 
failures that can result in self-sustaining increases in temperature and pressure (thermal 
runaway)" than nickel-cadmium or lead-acid batteries. Also, unlike nickel-cadmium and 
lead-acid batteries, some types of lithium-ion batteries use liquid electrolytes that are
flammable. As a result, the FAA issued a notice of proposed special conditions (72
Federal Register 21162, April 30, 2007), which detailed the issues of concern from the
issue paper and solicited public comment on the proposed special conditions. Responding
to public comments received, on October 11, 2007, the FAA published nine special
conditions for the 787-8 lithium-ion battery installation (72 Federal Register 57842) to
mitigate safety problems caused by overcharging, over-discharging, and flammability of
cell components. The intent of the nine special conditions was to establish appropriate 
airworthiness standards for lithium ion battery installations in the 787-8 and to ensure, as 
required by 14 CFR 25.601, that the battery installations were not hazardous or unreliable. 
To address these concerns, the special conditions adopted the following requirements: 

• Those sections of 14 CFR 25.1353 applicable to lithium ion batteries. 

• The flammable fluid fire protection requirements of 14 CFR 25.863. In the past, this 
rule was not applied to batteries of transport category airplanes, since the electrolytes 
used in lead-acid and nickel-cadmium batteries were not flammable. 

• New requirements to address the hazards of overcharging and over-discharging that 
are unique to lithium ion batteries. 

• New maintenance requirements to ensure that batteries used as spares are maintained 
in an appropriate state of charge. 

Accordingly, "Special Conditions: Boeing Model 787-8 Airplane; Lithium-Ion Battery 
Installation," 25-359-SC, became effective on November 13, 2007 as part of the type 
certification basis for the Boeing Model 787-8 airplane. 25-359-SC states: 

In lieu of the requirements of 14 CFR 25.1353(c)(1) through (c)(4),
the following special conditions apply. Lithium ion batteries on the 
Boeing Model 787-8 airplane must be designed and installed as 
follows: 

(1) Safe cell temperatures and pressures must be maintained during any 
foreseeable charging or discharging condition and during any failure of 
the charging or battery monitoring system not shown to be extremely 
remote. The lithium ion battery installation must preclude explosion in 
the event of those failures. 

(2) Design of the lithium ion batteries must preclude the occurrence of
self-sustaining, uncontrolled increases in temperature or pressure.

(3) No explosive or toxic gases emitted by any lithium ion battery in normal 
operation, or as the result of any failure of the battery charging system, 
monitoring system, or battery installation not shown to be extremely 
remote, may accumulate in hazardous quantities within the airplane. 

(4) Installations of lithium ion batteries must meet the requirements of 14 
CFR 25.863(a) through (d). 

(5) No corrosive fluids or gases that may escape from any lithium-ion battery 
may damage surrounding structure or any adjacent systems, equipment, 
or electrical wiring of the airplane in such a way as to cause a major or 
more severe failure condition, in accordance with 14 CFR 25.1309 (b) 
and applicable regulatory guidance. 

(6) Each lithium ion battery installation must have provisions to prevent any 
hazardous effect on structure or essential systems caused by the 
maximum amount of heat the battery can generate during a short circuit 
of the battery or of its individual cells. 

(7) Lithium ion battery installations must have a system to control the 
charging rate of the battery automatically, so as to prevent battery 
overheating or overcharging, and, 

(i) A battery temperature sensing and over-temperature warning system 
with a means for automatically disconnecting the battery from its 
charging source in the event of an over-temperature condition, or, 

(ii) A battery failure sensing and warning system with a means for 
automatically disconnecting the battery from its charging source in 
the event of battery failure. 

(8) Any lithium ion battery installation whose function is required for safe 
operation of the airplane must incorporate a monitoring and warning 
feature that will provide an indication to the appropriate flight 
crewmembers whenever the state-of-charge of the batteries has fallen 
below levels considered acceptable for dispatch of the airplane. 

(9) The Instructions for Continued Airworthiness required by 14 CFR
25.1529 must contain maintenance requirements for measurements of
battery capacity at appropriate intervals to ensure that batteries whose 
function is required for safe operation of the airplane will perform 
their intended function as long as the battery is installed in the 
airplane. The Instructions for Continued Airworthiness must also 
contain procedures for the maintenance of lithium ion batteries in 
spares storage to prevent the replacement of batteries whose function 
is required for safe operation of the airplane with batteries that have 
experienced degraded charge retention ability or other damage due to 
prolonged storage at a low state of charge. 

Note: These special conditions are not intended to replace 14 CFR 25.1353(c) in the
certification basis of the Boeing 787-8 airplane. These special conditions apply 
only to lithium-ion batteries and their installations. The requirements of 14 CFR 
25.1353(c) remain in effect for batteries and battery installations of the Boeing 
787-8 airplane that do not use lithium ion batteries. 

D.2.5 Minimum Operational Performance Standards for Rechargeable Lithium 
Battery Systems DO-311: 

DO-311, "Minimum Operational Performance Standards for Rechargeable Lithium
Battery Systems," which was developed by RTCA Special Committee SC-211, was issued
March 13, 2008. This document contains Minimum Operational Performance Standards
(MOPS) for rechargeable Lithium battery systems to be used as permanently installed
power sources on aircraft. Compliance with these standards is one approach to assure
that the Lithium battery will perform its intended function(s) safely, under conditions
normally encountered in aeronautical operations. These standards apply to the chemical 
composition, cell size, cell construction, cell interconnection methods within batteries, 
venting provisions, operational and storage environments, packaging, handling, test, 
storage and disposal of rechargeable Lithium batteries, installed separately or in avionics 
equipment aboard aircraft. The standard was developed by SC-211, which included 
representatives from industry and government, including representatives from Boeing and 
the FAA. 

The FAA indicated that because this standard was released after the effective date of their 
Special Conditions on Li-Ion batteries, 25-359-SC, it did not become a requirement for the 
787-8 Main and APU battery certification. 

D.2.6 Boeing Certification Plan for Demonstrating Compliance to Regulatory 
Requirements: 

A review of the Boeing 787 Electrical Power Systems Certification Plan (CP), which 
includes the power conversion system, was conducted during this investigation. The 
original CP was approved by the FAA on December 22, 2005. This CP presents a high 
level system description of the electrical power systems, which includes the battery and 
battery charger system, and defines the methods that are to be used to show compliance to 
applicable FAA and EASA requirements. After the FAA approved the Certification
Plan, reviewed the qualification test procedures and subsequently approved the requests
for qualification test conformity inspections, final approval of several test reports and the
associated finding was delegated for the Boeing ARs to perform on behalf of the FAA.
ARs exercise their authority and responsibility by signing FAA Form 8100-9, Statement of
Compliance with Airworthiness Standard.

According to the CP, the Lithium Ion Battery, Boeing part number B3856-901R, was to be 
supplied by GS Yuasa in Kyoto, Japan, and the battery charger unit, Boeing part number 
C3808-900R, was to be supplied by Securaplane in Tucson, Arizona.

Table 1 below provides a list of the pertinent tests and analyses presented by Boeing, 
approved by a Boeing AR, and accepted by FAA to demonstrate compliance to various 
certification requirements (both FAA and EASA) as part of the certification plan. 

Table 1 Certification Deliverables, 787-8 Battery and Battery Charger 

Deliverable: Qualification Test, Battery/BCU Subsystem 
Applicable FARs: 25.601, 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1351(a)(2), 
    25.1351(b)(4), 25.1431(a), 25.1431(d), 25App-K25.1.1 
Applicable CSs: 25.601, 25.1301(a), 25.1309(a)(1), 25.1351(a)(2), 25.1351(b)(4), 
    25.1360(a), 25.1431(a), 25.1431(d) 

Deliverable: Qualification Test, Mechanical Battery with Contactor 
Applicable FARs: 25.601, 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1431(a), 
    25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.601, 25.1301(a), 25.1309(a)(1), 25.1431(a), EASA/787/SC-CRI_F-24 

Deliverable: Qualification Test, Electromagnetic Interference (EMI), Battery with Contactor 
Applicable FARs: 25.1301(d), 25.1309(a), 25.1309(g), 25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.1309(a)(1), EASA/787/SC-CRI_F-24 

Deliverable: Qualification Test, Climatical, Battery with Contactor 
Applicable FARs: 25.601, 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1431(a), 
    25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.601, 25.1301(a), 25.1309(a)(1), 25.1431(a), EASA/787/SC-CRI_F-24 

Deliverable: Personnel Hazard Justification for Main/APU Battery 
Applicable FARs: N/A 
Applicable CSs: 25.1360(a) 

Deliverable: Qualification Analysis, Red Label to Production Configuration for Main/APU Battery 
Applicable FARs: 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1431(a), 
    25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.1301(a), 25.1309(a)(1), 25.1431(a), EASA/787/SC-CRI_F-24 

Deliverable: BCU Q2 Qualification Test, Electrical Performance, Battery Charger Unit 
Applicable FARs: 25.601, 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1351(a)(2), 
    25.1351(b)(4), 25.1431(a), 25.1431(d), 25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.601, 25.1301(a), 25.1309(a)(1), 25.1351(a)(2), 25.1351(b)(4), 
    25.1360(a), 25.1431(a), 25.1431(d), EASA/787/SC-CRI_F-24 

Deliverable: BCU Q2 Qualification Test, Climatic, Battery Charger Unit 
Applicable FARs: 25.601, 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1431(a), 
    25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.601, 25.1301(a), 25.1309(a)(1), 25.1431(a), EASA/787/SC-CRI_F-24 

Deliverable: BCU Q2 Qualification Test, Mechanical, Battery Charger Unit 
Applicable FARs: 25.601, 25.1301(a), 25.1301(d), 25.1309(a), 25.1309(g), 25.1431(a), 
    25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.601, 25.1301(a), 25.1309(a)(1), 25.1431(a), EASA/787/SC-CRI_F-24 

Deliverable: BCU Q2 Qualification Test, Electromagnetic Interference (EMI)/Electromagnetic 
    Conductivity (EMC), BCU 
Applicable FARs: 25.1301(d), 25.1309(a), 25.1309(g), 25App-K25.1.1, FAA/787/SC/25-359-SC 
Applicable CSs: 25.1309(a)(1), EASA/787/SC-CRI_F-24 

D.3 787-8 Lithium-Ion Battery System Safety Assessment: 

D.3.1 Overview of System Safety Assessment Process Description: 

The process for developing and certifying a safety-critical system must provide assurance 
that all significant single failure conditions have been identified and that all combinations 
of failures which lead to hazardous or catastrophic airplane level effects have been 
considered and appropriately mitigated. Aircraft manufacturers provide this assurance 
through their safety assessment processes. 

The basic structure of a system development process can be represented by a V-diagram, 
where time is represented horizontally (left to right) and system hierarchy is represented 
vertically (Reference Figure 3). Initially (top left), the top level design requirements 
(payload, range, passenger capacity, performance, etc.) for the aircraft are selected. The 
airplane requirements are then broken down in a top-down process: airplane requirements 
into airplane-level functions (e.g. provide power generation and distribution); 
airplane-level functions into system functions (e.g. provide electrical power to user 
systems); system-level functions into systems (e.g. provide backup electrical power); and 
systems into subsystems (e.g. provide battery charging). Following this system 
development process, requirements for each part, item or piece of equipment are 
identified, with each level providing validation of the level above. Validation is the 
process of ensuring that the requirements are sufficiently correct and complete. The right 
side of the V-diagram involves a series of bottom-up evaluation activities to ensure the 
requirements are verified as met at each level in the integration of the final product. 
Verification is the process of ensuring that the final product meets the design 
requirements. Verification activities may include analysis and testing of the individual 
item of equipment (e.g. battery and/or battery charger), then progressively integrating 
the equipment into a complete system, and even flight testing for verification of a fully 
integrated system on the aircraft. 



System Safety and Certification Group Chairman's Factual Report 
NTSB Incident Number: DCA13IA037 



Figure 3 V-diagram for a System Development Process 

Safety assessments are a primary means of compliance for systems (as opposed to identifying 
structures or airplane performance characteristics) that are critical to safe flight and operation. 
Safety assessments proceed in a stepwise, data-driven fashion, analogous to the system 
development process described above. Starting with airplane functions, functional hazard 
assessments are performed to identify the failure conditions associated with each function. 
System functional hazard analyses are performed for system level functions. Preliminary 
safety assessments are performed as the system is developed, adding more specific design and 
implementation detail to address specific hazards. The bottom-up verification by safety analysis 
starts with an analysis of the components of a system to ensure single failures do not result in 
significant effects. Combinations of failures are logically combined to develop the probability of 
a failure condition, and the result is checked to ensure it is commensurate with the criticality 
of that failure condition. Thus, the final definition and characterization of a safety-critical 
system is verified by the result of the analyses conducted during a safety assessment. 

Safety assessments are conducted by the applicant, and its suppliers, and are reviewed and 
accepted by the FAA. The safety assessment process is outlined in AC 25.1309-1A and 
described in detail in SAE ARP4761. Although the safety assessment process outlined in the 
AC is not mandatory, applicants who choose not to conduct safety assessments must 
demonstrate compliance in another, FAA-approved way (for example, by conducting ground or 
flight tests). 

A functional hazard assessment (FHA) is a systematic examination of a system's functions and 
purpose, and it typically provides the initial, top-level assessment of a design and addresses the 
operational vulnerabilities of the system function. The FHA is therefore used to establish the 
safety requirements that guide system architecture design decisions. Performed independently 
of any specific design, an FHA evaluates what would occur if the function under question was 
lost or malfunctioned and classifies that effect to prioritize focus on the most serious outcomes. 
An FHA is conducted early in the design and development cycle to identify failure conditions 
and classify them by severity, beginning at the airplane level and working down to individual 
systems. The latest draft of the upcoming revision to AC 25.1309-1A includes five severity 
classes that are used to classify the effect of loss or malfunction as part of an FHA. These 
classes are no safety effect, minor, major, hazardous, and catastrophic. The differences 
among the classes are associated with effects on the airplane, occupants, and crew. 

Once the hazard classification of a system is established, the applicant conducts 
system-specific analyses to identify and evaluate failure conditions and identify ways either to 
eliminate the adverse effects of a failure or to ensure that a failure probability is inversely 
proportional to its hazard classification. Analytic and qualitative methods for conducting 
safety assessments include functional hazard assessments, preliminary system safety 
assessments, and system safety assessments. Techniques that may be used to conduct the 
safety assessments include fault tree analyses and failure modes and effects analyses. 

The FHA may be incorporated in the certification plan for FAA review early in the 
development process. The safety requirements derived from the FHA and the Preliminary 
Systems Safety Analysis are used as input for system safety assessments. 

A system safety assessment is a systematic evaluation of a design solution and implemented 
system and can be accomplished using a number of different techniques: qualitative and 
quantitative fault tree analysis (FTA), failure modes and effects analysis (FMEA), and failure 
modes and effects summary. An FTA is a structured, deductive, top-down graphical analysis 
that depicts the logical relationships between each failure condition and its primary causes and 
uses the results of the FMEA as the basic events in the FTA analysis. An FMEA provides a 
qualitative and quantitative way to identify the effects of a single function or system failure at 
the next-higher level of a system. 

D.3.2 Functional Hazard Assessment: 

Boeing performed a functional hazard assessment (FHA) as part of their evaluation of the 787-8 
Electrical Power System Safety. The FHA was performed to determine the potential hazards that 
various failures of electrical system components could introduce to the airplane and its 
occupants. The functional hazard assessment identified and classified, pursuant to the 
guidance in AC 25.1309-1A, two hazards associated with the main and APU lithium-ion 
battery: "battery vents smoke/fire," which was classified as catastrophic, 12 and "battery vent 
and/or smoke (without fire)," which was classified as hazardous. 13 

On the basis of the results of the functional hazard assessment, Boeing defined failure and 
mitigation requirements for the main and APU lithium-ion battery; three of the requirements 
related to smoke, gas, and electrolyte release are shown in table 2. 



Table 2 Battery/Battery Charger Failure Detection/Mitigation Requirements 

Requirement   Description of Requirement 
1             The battery shall have a probability of less than 1 x 10^-7 for gas emission. 
2             The battery shall have a probability of less than 1 x 10^-7 for smoke emission. 
3             Battery shall be designed to prevent spilling flammable fluid, a hazardous 
              event with occurrence with a probability of less than 10^-9. 



D.3.3 System Safety Assessment of the Main and APU Li-ion Battery Systems: 

Boeing's 787-8 System Safety Assessment (SSA) presents the overall safety analysis of the 787-8 
Electrical Power System (EPS), which was used to evaluate the design of the EPS for compliance with 
safety requirements derived from Federal Aviation Regulations (14 CFR Part 25), EASA Certification 
Specifications (CS) and accompanying advisory material. Included in their SSA are sections that 
provide a description of the Main and APU battery and their battery charger, the Lithium-Ion battery 
failure modes, the batteries' design and qualification, the applicable special condition (25-359-SC), 
the Functional Hazard Assessment (FHA) that was performed as part of the 787-8 Electrical Power 
System Safety Analysis, fault tree documentation, and an airplane level safety assessment. 



12 The harmonized requirements for 14 CFR Part 25.1309 define a catastrophic event as one that normally 
involves a hull loss with multiple fatalities and is assigned an allowable qualitative probability of being extremely 
improbable and an average quantitative probability of less than 1 x 10^-9 per flight hour. 

13 The harmonized requirements for 14 CFR Part 25.1309 define a hazardous event as one that normally involves 
a large reduction in functional capability or safety margins of the airplane with serious or fatal injury to a small 
number of passengers or cabin crew along with physical distress or excessive workload impairing the ability of 
the flight crew and is assigned an allowable qualitative probability of being extremely remote and an average 
quantitative probability of less than 1 x 10^-7 per flight hour. 

Boeing's 787-8 electrical power system safety assessment also included an analysis of 
lithium-ion battery failure modes. This analysis determined that overcharging was the only known 
failure mode that could result in cell venting with fire. As a result, Boeing established 
additional design requirements to ensure that the likelihood of occurrence of an overcharge 
event was extremely improbable 16. Boeing further determined that cell venting without fire 
could be initiated by several different failure modes, including external overheating, external 
short circuit of appropriate impedance, internal short circuit, recharging a battery that has been 
over discharged, a high rate of charging at greater than a 1C (one times the capacity Ahr rating 
of the cell), or charging at cold temperatures. To evaluate the effect of cell venting resulting 
from an internal short circuit, Boeing performed testing that involved puncturing a cell with a 
nail to induce an internal short circuit. This test resulted in venting with smoke but no fire. In 
addition to this testing and to assess the likelihood of occurrence of cell venting, Boeing 
acquired information from other companies about their experience with the use of similar 
lithium battery cells. Based on this information, Boeing assessed that the likelihood of 
occurrence of cell venting would be about one in ten million flight hours. 

On the basis of these analyses and tests, Boeing incorporated several safety features inside and 
outside of the battery that were designed to prevent the conditions of cell venting and cell venting 
with fire. These features include: 

• A dedicated battery charger that charges within very precise voltage and current limits. 

• Cell balancing circuits to ensure all the cells in a battery are charged up equally and are within 
safe voltage limits. 

• Battery circuits that monitor cell and battery voltages and temperatures and control the battery 
charger accordingly. 

• An internal safety contactor to disconnect the battery in case of any high voltage conditions. 

• A battery diode module (Main battery only, the APU battery has no other possible charge 
sources) that prevents charging of the battery from any source other than the dedicated 
battery charger. 

• Cell assembly processes that prevent, detect, and eliminate contamination as a source of cell 
internal short circuiting. 

• Operation in a suitable thermal environment including protection from cargo fire threats via an 
insulating liner. 

• Cell designed to be tolerant to external short circuit conditions, by either fusing internally if the 
current is too high or able to withstand discharging fully into a fault without generating fire. 
Additionally, airplane wiring is routed and protected to minimize the probability of an external 
short circuit occurring. 
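
The fault tree reasoning described in D.3.1, applied to layered overcharge protections like those listed above, can be worked through in code. The following Python is an added illustration, not Boeing's, Thales' or GS-Yuasa's analysis: the event names, tree structures, the shared voltage sense circuit and every failure rate are constructed assumptions, basic events are assumed independent, and only the 1 x 10^-9 and 1 x 10^-7 budgets come from this report. 

```python
from itertools import product
from math import prod

# Average per-flight-hour probability budgets quoted in this report's footnotes.
BUDGET = {"catastrophic": 1e-9, "hazardous": 1e-7}

# A tree node is a basic-event name (str) or a gate: ("and" | "or", [children]).
def cut_sets(node):
    """Combinations of basic events that are sufficient to cause the node."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "or":                      # any one child is enough
        return set().union(*child_sets)
    # "and": one cut set from every child must occur together
    return {frozenset().union(*combo) for combo in product(*child_sets)}

def minimal_cut_sets(node):
    sets = cut_sets(node)
    return {s for s in sets if not any(t < s for t in sets)}

def naive_probability(node, p):
    """Gate-by-gate product; only valid if no basic event appears twice."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    ps = [naive_probability(c, p) for c in children]
    return prod(ps) if gate == "and" else 1.0 - prod(1.0 - x for x in ps)

def assess(tree, p, severity):
    """Rare-event approximation: sum of minimal-cut-set probabilities."""
    mcs = minimal_cut_sets(tree)
    q = sum(prod(p[e] for e in cs) for cs in mcs)
    return {"probability": q, "meets_budget": q < BUDGET[severity],
            "cut_sets": sorted((sorted(cs) for cs in mcs), key=len)}

# Constructed failure rates per flight hour (illustrative, not from the report).
RATES = {
    "charger_regulation_fault": 1e-4,
    "monitoring_logic_fault": 1e-3,
    "contactor_stuck_closed": 1e-3,
    "shared_voltage_sense_fault": 1e-5,
}

# Overcharge needs the charger fault AND both protections to fail.
INDEPENDENT = ("and", ["charger_regulation_fault", "monitoring_logic_fault",
                       "contactor_stuck_closed"])

# Same layers, but both protections rely on one hypothetical voltage sense circuit.
SHARED_SENSE = ("and", [
    "charger_regulation_fault",
    ("or", ["monitoring_logic_fault", "shared_voltage_sense_fault"]),
    ("or", ["contactor_stuck_closed", "shared_voltage_sense_fault"]),
])

if __name__ == "__main__":
    for name, tree in [("independent", INDEPENDENT), ("shared sense", SHARED_SENSE)]:
        print(name, naive_probability(tree, RATES), assess(tree, RATES, "catastrophic"))
```

With these constructed rates the gate-by-gate product rates the shared-sense tree at about 1 x 10^-10, while the minimal cut sets expose a two-event combination that pushes the total to about 1.1 x 10^-9 and over the catastrophic budget. 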

Overall compliance with applicable 787-8 main and APU lithium-ion battery safety 
requirements was shown through formal analyses and tests. In addition to those noted above, 
these analyses and tests were performed by Thales/GS-Yuasa and reviewed by Boeing project 
engineering, Safety Group, Reliability and Maintainability engineering, and the Boeing 
Authorized Representatives. Formal analyses included the Battery Functional Hazard 
Assessment (FHA) 17, Fault Tree Analysis (FTA 18), Failure Mode and Effects Analysis 
(FMEA 19) and the Battery/Battery Charger System Safety Assessment (SSA 20). 

16 The risk of fire was addressed through overcharge protections. For example, Boeing required that the battery 
monitoring unit when combined with the overall battery protection subsystem shall prevent undetected 
overcharge (over-voltage), a catastrophic event, with a probability of occurrence of less than 1 x 10^-9. 

Battery testing consisted of full-performance, environmental qualification, and destructive 
tests. The destructive tests included external short circuit (low and moderate impedance shorts 
at battery terminals), overcharge (charge battery at 36 volts for 25 hours), high temperature 
storage (185° F for 18 hours), and over discharge (discharge battery to zero volts) tests. Boeing 
noted that they found no evidence of cell-to-cell propagation failures or fire resulting in these 
tests. 

Boeing's safety assessment report noted that endurance testing, during which the battery is 
cycled and exposed to various operating temperatures over time, was also performed 21. At the 
conclusion of its testing and safety assessment process, Boeing prepared documented 
compliance data supporting each of the nine items of Special Condition, 25-359-SC. 



Mike Hauf 

Aircraft System Safety Engineer 



17 The FHA was conducted by Thales Avionics Electrical Systems. 

18 The FTA was conducted by Thales Avionics Electrical Systems and GS-Yuasa. 

19 The FMEA was conducted by Thales Avionics Electrical Systems and GS-Yuasa. 

20 The BCU and battery SSA was conducted by Thales Avionics Electrical Systems. 

21 Endurance testing was not a certification requirement, but was performed at Boeing's option. 